Solved: How to create an eval and use of like?

jwalzerpitt · ‎09-16-2022

I am trying to an eval with like to assign priority to certain IPs/hosts and running into an issue where the priority is not being assigned. I am using network data to create my ES asset list and I have a lookup that does IP to cidr range and then returns the zone the IP is associated with. Later in my search I rename zone to bunit and right after that I am testing the eval as follows:

| eval priority=if(like(bunit,"%foo%"), "critical" , "TBD")

As I am testing the search at the end of my search I have:

| table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av, device, interface
| search bunit=*foo*

I get a list of all foo related bunit events, but the priority field is set to "TBD"

Would appreciate any help - thx

isoutamo · ‎09-16-2022

Multivalue fields has different behaviour than "normal" single value fields.

Can you try this

eval priority=if(isnotnull(mvfind(bunit,"foo")), "critical" , "TBD")

mvfind(MVFIELD,"REGEX")

View solution in original post

isoutamo · ‎09-16-2022

Are you sure that bunit is not a multi value field?

jwalzerpitt · ‎09-16-2022

My apologies as reviewing the search output I need to dedup fields with bunit being one of those fields. Here is my entire search:

index=arp sourcetype=foo_arp NOT mac IN (incomplete) 
| lookup securitygroupmembers_lookup cidr_range as ip 
| lookup dnslookup clientip as ip OUTPUT clienthost as dns 
| fillnull value=NULL 
| search zone!="" 
| eval zone=coalesce(zone,"null")
| rename zone AS bunit 
| eval priority=if(like(bunit,"%foo%"), "critical" , "TBD")
| eval ip=mvdedup(ip), mac=mvdedup(mac), dns=mvdedup(dns), bunit=mvdedup(bunit), device=mvdedup(device), interface=mvdedup(interface)
| table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av, device, interface
| search bunit=*foo*

For some reason I am getting dupes in various fields so I use an eval to dedup those fields. With bunit being a multi value field, what effect does that have?

Thx

isoutamo · ‎09-16-2022

Multivalue fields has different behaviour than "normal" single value fields.

Can you try this

eval priority=if(isnotnull(mvfind(bunit,"foo")), "critical" , "TBD")

mvfind(MVFIELD,"REGEX")

jwalzerpitt · ‎09-16-2022

One issue I see is that with using isnull/isnotnull as follows, it tags all values from the bunits field as critical:

| eval priority=if(isnull(mvfind(bunit,"(%foo%)")), "critical" , "TBD")

Is there a better information function (https://docs.splunk.com/Documentation/SCS/current/SearchReference/InformationalFunctions#isstr.28.26...) to use?

jwalzerpitt · ‎09-16-2022

That worked after making a slight change so TYVM!

At first when I used the following, the priority field was still coming back as TBD

| eval priority=if(isnotnull(mvfind(bunit,"fis")), "critical" , "TBD")

However, when I made the change from isnotnull to isnull (and added % to foo) the bunit field was now tagged as critical

| eval priority=if(isnull(mvfind(bunit,"%foo%")), "critical" , "TBD")

Is it possible to search for multiple values in the bunit filed in the eval like as follows? I have a list of zones/bunits I need to tag as critical

| eval priority=if(isnull(mvfind(bunit,"%foo%", "%bar%, "%abc%)), "critical" , "TBD")

Thx again!

isoutamo · ‎09-16-2022

As mvfind use regex to match, you could use what it offer. Easy place to test those is regex101.com.

jwalzerpitt · ‎09-16-2022

Thx again

jwalzerpitt · ‎09-16-2022

bunit just has one value per IP

How to create an eval and use of like?

eval

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?